|Intelligent Application Gateway (IAG) 2007 Service Pack 2 (SP2)||IAG3.7-SP2Update-3.exe (IAG v3.7 SP2 Update 3)||47|
This update can be applied to the appliances that are running IAG 2007 SP2 or Update 2 for IAG 2007 SP2, and it can be applied to the virtual machines that are running IAG 2007 SP2 or Update 2 for IAG 2007 SP2.
For more information about IAG 2007 SP2, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Description of Intelligent Application Gateway (IAG) 2007 Service Pack 2
Description of Update 1 for Intelligent Application Gateway 2007 Service Pack 2
Description of Update 2 for Intelligent Application Gateway 2007 Service Pack 2
New features and improvements that are included in this update
We made some improvements to the IAG client components in this Update 3 for IAG 2007 SP2. We made these improvements by integrating the Microsoft Forefront Unified Access Gateway (UAG) client components into the IAG product. These improvements include support for the 32-bit and 64-bit versions of Windows 7 and for the 64-bit version of Windows Vista.
Details of the improvements
Starting with this update for IAG, the new client components that are included with UAG have been integrated into IAG. The new client components offer better compatibility with Windows 7, and other improvements. The new client components, although designed for UAG, have a backward compatibility mode that enables clients that are running them to connect seamlessly with both UAG and IAG. This includes versions of IAG that have not yet been updated to Update 3 for IAG 2007 SP2.
You should be aware that other than the client components, no other UAG functionality was incorporated into Update 3 for IAG 2007 SP2, and the new client components offer only client-side improvements.
This new feature is backward compatible. For example, assume that you download the client components from an IAG server that is running Update 3 for IAG 2007 SP2, and then you install them on an endpoint computer. In this scenario, the client components are compatible with a server that is running the latest Update 2 for IAG 2007 SP2. The backward compatibility feature is implemented by a special backward compatibility mode for the UAG client components when the client components access a pre-Update 3 for IAG 2007 SP2-based server.
Client computer update
When a client that has the legacy IAG client components accesses a server that is running Update 3 for IAG 2007 SP2, the client is upgraded by the following process:
- A currently running legacy Component Manager ActiveX object accesses the Update 3 IAG 2007 SP2 server.
- The ClientConf.xml file is downloaded, and the signature of the file is verified.
- Because the client components that are found on the server have a later version number, a new Component Manager and a Download Manager service are downloaded. These components replace the existing components.
- Because the UAG client components are installed in a different folder than the legacy IAG client components (also known as the Whale client components), the client components cannot be upgraded directly. Therefore, an uninstall process for the legacy components is started.
- To complete the uninstall process, the client computer must be restarted to unload the old versions of helper services and Winsock components.
- When a computer is restarted, the uninstall process is completed.
- The user accesses the IAG server again. An online clean installation of the client components is performed in the following location under the Program Files folder:
\Microsoft Forefront UAG\Endpoint Components
The Network Connector feature is not implemented for Windows 7. Because of this, full remote network connectivity is not available for Windows 7 with IAG. Customers who require full network connectivity for Windows 7 clients have to upgrade from Intelligent Application Gateway (IAG) 2007 to Forefront Unified Access Gateway (UAG) 2010 to use its support for SSTP and/or Direct Access for Windows 7, which provide full network connectivity.
Client OS compatibility with Update 3 for IAG 2007 SP2
| Feature || Windows XP 32-bit || Windows Vista 32-bit || Windows Vista 64-bit || Windows 7 32-bit || Windows 7 64-bit || Mac or Linux |
| Offline installation || Yes || Yes || Yes || Yes || Yes || No |
| Online installation || Yes || Yes || Yes || Yes || Yes || Yes |
| Endpoint Detection || Yes || Yes || Yes || Yes || Yes || Yes |
| Attachment Wiper || Yes || Yes || Yes || Yes || Yes || Yes |
| SSL Wrapper || Yes || Yes || Yes || Yes || Yes || Yes |
| Socket Forwarding || Yes || Yes || No || Yes || No || No |
| Network Connector (NC) || Yes || Yes || Yes || No || No || No |
For more information about browser, operating system, and client component features and compatibility, visit the following Microsoft Tech Web site:
Fixed issues that are included in this update
This update fixes the following issues that were not previously documented in a Microsoft Knowledge Base article:
When you view the weekly report, the monthly report, the quarterly report, or the annual report on the server by using the IAG Web Monitor, Web Monitor cannot generate reports, and you receive the following error message:
0 results were found
Note: You can view the daily reports successfully.
Additionally, you receive the following error message when you try to view quarterly report:
Too many results. Displaying only first records.
Note: This error message appears only one time.
When you access a basic trunk by using the defined Server Name Translation (SNT) rules, an error occurs in version 18.104.22.168 of the Whlglobalultilies.dll module. This error causes the W3wp.exe application to crash.
This issue occurs because of an access violation when the SNT module is accessed multiple times at the same time.
A crash occurs in the WhlHttpParser.dll module. This crash causes instability of the IAG server when the server is under heavy load.
This issue occurs because IAG parses the chunked responses incorrectly.
The IAG Secure Remote Access (SRA) engine of Update 2 for IAG 2007 SP2 cannot recognize the links that have the "HTTPS" characters in uppercase at the beginning of the URL. Additionally, the engine misses these links in the signing process. This behavior causes some applications not to work correctly.
Note: This problem does not occur when the "HTTP" links are used. The IAG SRA engine interprets any uppercase and lowercase combination of the "HTTP" links.
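The scheme-matching failure described above can be reproduced with a small link rewriter. This is an added example, not IAG code: the two regular expressions, the HMAC-based `sign` helper, the key, and the sample page are assumptions constructed to show the difference between a case-sensitive "https" match and the case-insensitive scheme match that RFC 3986 requires.

```python
import hashlib
import hmac
import re

KEY = b"constructed-demo-key"  # constructed; stands in for a gateway secret

# Matcher with the behaviour described above: "http" in any case,
# but "https" only when it is written in lowercase.
BUGGY = re.compile(r'''((?i:href|src)=)(["'])((?:(?i:http)|https)://[^"']*)\2''')
# RFC 3986 section 3.1: the scheme is case-insensitive.
FIXED = re.compile(r'''((?i:href|src)=)(["'])((?i:https?)://[^"']*)\2''')


def sign(url):
    """Hypothetical signature: HMAC over the URL with its scheme lowercased."""
    scheme, rest = url.split("://", 1)
    canonical = scheme.lower() + "://" + rest
    return hmac.new(KEY, canonical.encode(), hashlib.sha256).hexdigest()[:16]


def sign_links(html, matcher):
    """Return (rewritten_html, signed_urls) for the links the matcher sees."""
    signed = []

    def repl(m):
        url = m.group(3)
        signed.append(url)
        sep = "&" if "?" in url else "?"
        return f"{m.group(1)}{m.group(2)}{url}{sep}sig={sign(url)}{m.group(2)}"

    return matcher.sub(repl, html), signed


def missed_links(html, matcher):
    """Links a spec-compliant matcher finds but the given matcher skips."""
    seen = set(sign_links(html, matcher)[1])
    return [u for u in sign_links(html, FIXED)[1] if u not in seen]


# Constructed sample page.
PAGE = (
    '<a href="http://portal.example/a">a</a>'
    '<a href="HTTP://portal.example/b">b</a>'
    '<a href="https://portal.example/c">c</a>'
    '<a HREF="HTTPS://portal.example/d?x=1">d</a>'
)

if __name__ == "__main__":
    print(missed_links(PAGE, BUGGY))  # the uppercase HTTPS link is left unsigned
    print(missed_links(PAGE, FIXED))  # nothing is missed
```

Running `missed_links` over captured portal pages with both matchers is a quick regression check that every absolute link is rewritten regardless of scheme case.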
An error occurs in the WhlServerProxy.dll module when you publish and start a Network Connector. This error causes the W3wp.exe application to crash.
When you try to use Web Monitor to view a report that is more than 65535 rows and that contains data from one month or more, the report is not generated.
Note: The maximum size limit of a report that you can configure is 65535 rows in IAG.
After you apply this update, you can increase the number of rows to a value that is beyond 65536. To do this, add the following nonzero DWORD registry value:
The new maximum size limit is 1,000,000 rows. If the UseReportResultHighLimit registry value is zero or does not exist, the old limit of 65536 rows is used.
Update 2 for IAG 2007 SP2 introduces a new rule set for Microsoft Office SharePoint Server 2007 Alternative Access Mapping (AAM). This new rule set has a bug in it that blocks the usage of files that have a hyphen (-), a comma (,), or an apostrophe (') in the file name. This issue occurs because of the rule number 55 that includes the following permitted regular expression:
However, the rule should be the following regular expression that includes the valid characters:
This bug was resolved in Office SharePoint Server 2007 by using the same update.
On a Windows Vista-based client computer that has F-Prot Antivirus 22.214.171.124 and the engine version 4.5.1 installed, you set the policy to accept any Windows Management Instrumentation (WMI) antivirus that effectively works on the computer. However, WMI translation of legacy values does not work for F-Prot Antivirus. WMI prevents policies that WMI requires. You notice that WMI detects F-Prot Antivirus successfully by using the following parameters:
AV_WMI_Company_1 Policy X
AV_WMI_Count Policy 1
AV_WMI_Installed_1 Policy TRUE
AV_WMI_Name_1 Policy F-PROT ANTIVIRUS FOR WINDOWS
AV_WMI_Running_1 Policy TRUE
AV_WMI_Version_Product_1 Policy 6.0
However, WMI cannot identify the parameters correctly. Therefore, the following parameters that are dedicated to F-Prot Antivirus show all false, and an endpoint policy cannot detect F-Prot Antivirus:
AV_FProt_Installed Policy False
AV_FProt_LastUpdate Policy 0
AV_FProt_Running Policy False
This update adds F-Prot Antivirus support for a translation from WMI. After you apply this update, the following parameters are changed and a new parameter is added:
AV_FProt_Installed Policy TRUE
AV_FProt_UptoDate Policy TRUE
AV_FProt_Running Policy TRUE
You publish various applications that are Multiple Kerberos Constrained Delegation (KCD)-enabled by using multiple trunks. When you disable or enable any trunk in IAG, IAG prevents correct operation of all KCD-enabled applications that were published by using multiple trunks. Additionally, IAG cannot identify the authentication provider and generates the following error message:
HTTPAuth::CLSAServerConnection::GetAuthenticationPackage - ERROR: Cannot find the authentication package. WinErr: 6
Consider the following scenario:
- You use the duplicate command to copy an existing basic trunk.
- You specify the name and IP address for the new trunk.
- You change the configuration of the new trunk.
- You start this trunk in IAG.
In this scenario, you cannot access the Web site for this trunk by using Windows Internet Explorer, and you receive the following error message:
The page cannot be found
Microsoft Internet Information Services (IIS) Manager shows that the Web site is in an ON state. However, the Whlfilter is in a DOWN state.
If you activate the trunk in IAG and reset the IIS service, you may be able to access the Web site. If the Web site is still inaccessible, and if IIS Manager shows that the Web site is present, you can reset the IIS service again. Otherwise, you have to activate the trunk in IAG and reset the IIS service again.
Note: Sometimes, a reset of IIS causes the newly created Web sites not to appear in IIS Manager, and the production server may encounter other issues and interruptions.
Apply this update to resolve the basic trunk duplication bug. After a trunk is duplicated, the user can define the port assignment of a new trunk by using the Trunk Duplicate wizard.
When you use a password that includes a Unicode character, the filter cannot reply to the NTLM authentication request. Therefore, the NTLM authentication request fails.
Apply this update to resolve this bug. A regression from Update 1 for IAG 2007 SP2 was reverted.
Consider the following scenario:
- You publish some very large HTML files that are generated by SharePoint SQL Reporting Services (SRSS).
- Because each report file is around 12 MB, you set the MaxBodyBufferSize flag that allows for files that are up to 15 MB to be parsed.
- You access the HTML page, and then you click the file from a client computer.
In this scenario, you receive the following error message:
This page contains both secure and non-secure items
Additionally, you experience the following symptoms:
- The files that are from 10-20 MB cannot be parsed.
- The links that are in these files cannot be signed.
- Some scripts on the page do not work.
You download an optimized Windows Internet Explorer 8 for MSN from an MSN branded Web site. However, you cannot use this browser to access IAG correctly. The Endpoint Detection component does not work, and the portal user interface (UI) does not display in the browser correctly.
This issue occurs because IAG incorrectly identifies the browser as an unsupported browser when MSN is in the User-Agent header.
Apply this update to resolve this issue. After you apply this update, the Endpoint Detection component works correctly for the client computers that have an optimized Windows Internet Explorer 8 for MSN installed.
When you try to request a Web page, or when you try to download a file that exceeds the default parsing buffer limit of 10 MB, the body buffer of IAG is exhausted. Additionally, you receive the following error message:
HTTP 500 - Internal Server Error
Note: This error message contains no information that helps the users or IAG administrators identify the issue. Additionally, this behavior also occurs when a buffer exceeds a limit that is defined by the MaxBodyBufferSize registry key.
For more information about how to configure the maximum size of downloadable files, click the following article number to view the article in the Microsoft Knowledge Base:
Description of Update 3 for e-Gap Appliance 3.6 and Update 4 for Intelligent Application Gateway 2007
After you apply this update, a notification message is sent to IAG Web Monitor if the downloaded file size exceeds the default limit of 10 MB, or if the downloaded file size exceeds the limit defined in the MaxBodyBufferSize registry key. To view this message, you can open the Web Monitor, and then you select the Event Viewer
The following is an example of this message:
Request failed. Trunk: 37sp2; Secure=1; Session ID: 78B802AC-A9F8-401F-8413-84ACA2B76663; Application ID: 7E955CBE86E540178CA889F414345F65; Application Name: BusinessTest; URL: /Attachment%20Wiper/15%20MB%20HTML.html; Message: Required memory size (15543107 bytes) is exceeding a pre-defined buffer size limit (7000000 bytes).
You can either edit the buffer size limit by using the registry key or configure the file to be skipped during the parsing process. For more information about how to edit the buffer size limit by using the registry key or about how to configure the file to be skipped during the parsing process, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Description of Update 5 for Intelligent Application Gateway 2007 Service Pack 1
Description of Update 3 for e-Gap Appliance 3.6 and Update 4 for Intelligent Application Gateway 2007
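To decide which published URLs need a larger MaxBodyBufferSize or should be skipped during parsing, the new Web Monitor message can be parsed and grouped. This is an added example, not part of IAG: the field layout is taken from the example message above, the first sample entry reuses that message, and the remaining sample entries (including the unrelated "Session started" line) are constructed.

```python
import re
from collections import defaultdict

# Field layout taken from the example message on this page.
EVENT = re.compile(
    r"Request failed\. Trunk: (?P<trunk>[^;]+); Secure=(?P<secure>[01]); "
    r"Session ID: (?P<session>[0-9A-Fa-f-]{36}); "
    r"Application ID: (?P<app_id>[0-9A-Fa-f]{32}); "
    r"Application Name: (?P<app>[^;]+); URL: (?P<url>.+?); "  # URL may contain ';'
    r"Message: Required memory size \((?P<required>\d+) bytes\) is exceeding "
    r"a pre-defined buffer size limit \((?P<limit>\d+) bytes\)\.")


def parse_event(line):
    """Return the message fields as a dict, or None for any other event."""
    m = EVENT.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["required"], ev["limit"] = int(ev["required"]), int(ev["limit"])
    return ev


def summarize(lines):
    """Group oversize-body events by (trunk, application, URL), largest first."""
    groups = defaultdict(lambda: {"hits": 0, "sessions": set(), "required": 0, "limit": 0})
    for ev in filter(None, map(parse_event, lines)):
        g = groups[(ev["trunk"], ev["app"], ev["url"])]
        g["hits"] += 1
        g["sessions"].add(ev["session"])
        g["required"] = max(g["required"], ev["required"])
        g["limit"] = ev["limit"]
    return sorted(groups.items(), key=lambda kv: kv[1]["required"], reverse=True)


FMT = ("Request failed. Trunk: {}; Secure=1; Session ID: {}; Application ID: {}; "
       "Application Name: {}; URL: {}; Message: Required memory size ({} bytes) "
       "is exceeding a pre-defined buffer size limit ({} bytes).")
APP = "7E955CBE86E540178CA889F414345F65"
SAMPLE = [  # first entry is the page's message; the rest are constructed
    FMT.format("37sp2", "78B802AC-A9F8-401F-8413-84ACA2B76663", APP, "BusinessTest",
               "/Attachment%20Wiper/15%20MB%20HTML.html", 15543107, 7000000),
    FMT.format("37sp2", "11111111-2222-3333-4444-555555555555", APP, "BusinessTest",
               "/Attachment%20Wiper/15%20MB%20HTML.html", 15543107, 7000000),
    FMT.format("37sp2", "11111111-2222-3333-4444-555555555555", APP, "BusinessTest",
               "/reports/q3;v=2.html", 12582912, 7000000),
    "Session started. Trunk: 37sp2; Secure=1",  # constructed unrelated event, ignored
]

if __name__ == "__main__":
    for (trunk, app, url), g in summarize(SAMPLE):
        print(trunk, app, url, g["hits"], len(g["sessions"]), g["required"], g["limit"])
```

A URL that appears with many hits across distinct sessions is a candidate for a raised buffer limit or a parsing skip; a single very large request from one session may deserve a closer look before the limit is changed.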
After you install the security update 971726 for Active Directory Federation Services (ADFS) on an IAG server, the logon process fails. Web Monitor shows an incorrect parameter value for the wctx parameter in the Portal_Rule1
Security update 971726 is documented in security bulletin MS09-070.
After you apply this update, the rule set parameter is set to the ".*